Full Disclosure mailing list archives

Re: Google open redirect


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 8 Dec 2011 01:13:02 -0800

For example: did you know that if you click on a link from coredump.cx
to microsoft.com and it opens in a new window, then a second or two
later, that coredump.cx in the background can change the URL of the
microsoft.com window, and point it to evil.com? Heck, coredump.cx can
even wait until you navigate further down the microsoft.com website -
and detect that event programmatically. That behavior is enshrined
within the current design of the same-origin policy, and browser
vendors seem hesitant to touch it.

Here's a tiny PoC:
http://lcamtuf.coredump.cx/switch/

/mz
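
Added example, not part of the original message or its PoC: a simplified model of how a browser evaluates the Cross-Origin-Opener-Policy response header, which lets the opened site sever the opener's window handle so the background page can no longer re-point it. The header is not mentioned in the message; the function names and sample headers are constructed, and the model covers only the first load in the new window.

```javascript
// Added example: simplified model, not browser source code.
// Covers the three original COOP values; anything else is treated as the
// default "unsafe-none", which is how an unparseable header is handled.
const COOP = new Set(["unsafe-none", "same-origin-allow-popups", "same-origin"]);

// Effective policy of a response. Only the enforcing header counts
// (Cross-Origin-Opener-Policy-Report-Only never severs anything). Browsers
// ignore the header on non-secure origins; approximated here as non-https.
function effectiveCoop(url, headers) {
  if (new URL(url).protocol !== "https:") return "unsafe-none";
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== "cross-origin-opener-policy") continue;
    const token = String(value).split(";")[0].trim().toLowerCase();
    return COOP.has(token) ? token : "unsafe-none";
  }
  return "unsafe-none";
}

// True when the opener still holds a usable reference to the new window after
// its first load, i.e. the background page can later change its location.
function openerKeepsHandle(openerUrl, openerHeaders, openedUrl, openedHeaders) {
  const from = effectiveCoop(openerUrl, openerHeaders);
  const to = effectiveCoop(openedUrl, openedHeaders);
  const sameOrigin = new URL(openerUrl).origin === new URL(openedUrl).origin;
  if (from === "unsafe-none" && to === "unsafe-none") return true;
  if (from === to && sameOrigin) return true;
  // An opener with allow-popups keeps windows it opens that set no policy.
  if (from === "same-origin-allow-popups" && to === "unsafe-none") return true;
  return false; // browser moves the new page to a separate context group
}

// Constructed cases using the hostnames from the message.
const cases = [
  ["no header", "https://www.microsoft.com/", {}],
  ["same-origin", "https://www.microsoft.com/", { "Cross-Origin-Opener-Policy": "same-origin" }],
  ["report-only", "https://www.microsoft.com/", { "Cross-Origin-Opener-Policy-Report-Only": "same-origin" }],
  ["plain http", "http://www.microsoft.com/", { "cross-origin-opener-policy": "same-origin" }],
];
for (const [label, url, headers] of cases) {
  const exposed = openerKeepsHandle("http://lcamtuf.coredump.cx/switch/", {}, url, headers);
  console.log(`${label}: opener can re-navigate = ${exposed}`);
}
```

Only the enforcing header on an HTTPS response reports the handle as severed; the report-only and plain-HTTP cases leave the behaviour described in the message in place.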
